Statement of Applicability
ISO 27001 Clause 6.1.3 — Effective: March 8, 2026
Document ID: H33-SOA-001
Classification: Internal / Auditor-Accessible
Owner: Eric Beans, CEO / CISO
Approved: March 8, 2026
Next Review: March 2027
Overview
This Statement of Applicability (SoA) documents the applicability and implementation status of all 93 controls defined in ISO 27001:2022 Annex A. Each control is assessed against H33's risk treatment plan and the organization's information security requirements.
The SoA is organized by the four themes of the 2022 standard: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8).
A.5 Organizational Controls (37 controls)
| Control | Name | Appl. | Status | Justification / Implementation Notes |
|---|---|---|---|---|
| A.5.1 | Policies for information security | Yes | Implemented | ISMS policy suite published and approved by CEO/CISO. Includes security policy, acceptable use, access control, and data classification policies. Reviewed annually. |
| A.5.2 | Information security roles and responsibilities | Yes | Implemented | CEO serves as CISO. Roles and responsibilities documented in ISMS policy. Security Officer role defined with authority for incident response, policy enforcement, and audit cooperation. |
| A.5.3 | Segregation of duties | Yes | Implemented | IAM roles enforce segregation. Deployment approval is separate from code review. Database admin access separated from application access. Production access restricted. |
| A.5.4 | Management responsibilities | Yes | Implemented | CEO/CISO approves all security policies. Management commitment documented in ISMS scope. Resource allocation for security tools (Drata, AWS security services) approved. |
| A.5.5 | Contact with authorities | Yes | Implemented | Contact procedures established for NIST, HHS (HIPAA), state regulators, and law enforcement. Breach notification procedures documented per applicable laws. |
| A.5.6 | Contact with special interest groups | Yes | Implemented | Active participation in NIST PQC standardization community. Monitoring of IETF working groups for TLS/PQC standards. AWS security advisory subscriptions. |
| A.5.7 | Threat intelligence | Yes | Implemented | AWS Security Hub feeds, CVE monitoring (cargo audit, npm audit), NIST NVD subscriptions, cryptographic vulnerability tracking (lattice attacks, side-channel research). |
| A.5.8 | Information security in project management | Yes | Implemented | Security requirements included in all project specifications. Cryptographic changes require Security Officer review. New features undergo threat assessment before development. |
| A.5.9 | Inventory of information and other associated assets | Yes | Implemented | AWS asset inventory via Config and Resource Explorer. Application inventory maintained in ISMS documentation. Data classification applied to all information assets. |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Implemented | Acceptable use policy published covering computing resources, data handling, internet usage, and communication tools. All personnel acknowledge on hire. |
| A.5.11 | Return of assets | Yes | Implemented | Offboarding checklist includes device return, access revocation (IAM, GitLab, Slack, AWS), and credential deactivation within 24 hours of termination. |
| A.5.12 | Classification of information | Yes | Implemented | Four-tier classification: Public, Internal, Confidential, Restricted. PHI classified as Restricted. Cryptographic key material classified as Restricted. Classification labels applied to documents and data stores. |
| A.5.13 | Labelling of information | Yes | Implemented | Policy documents labeled with classification level. Database columns tagged for sensitivity. Log entries tagged with PHI indicators. Email classification via subject prefix for Restricted content. |
| A.5.14 | Information transfer | Yes | Implemented | TLS 1.2+ for all external transfers. FHE for sensitive computation (data never decrypted in transit or at rest on server). Secure file transfer procedures documented. No plaintext PHI via email. |
| A.5.15 | Access control | Yes | Implemented | IAM least-privilege policies. API key authentication for services. Role-based access for AWS console. MFA enforced. Access reviews quarterly. |
| A.5.16 | Identity management | Yes | Implemented | Unique identifiers for all users. IAM users with individual credentials. Service accounts with dedicated IAM roles. No shared accounts. |
| A.5.17 | Authentication information | Yes | Implemented | Strong password requirements. MFA via authenticator app. API keys with minimum 128-bit entropy. SSH keys for GitLab access. Access key rotation every 90 days. |
| A.5.18 | Access rights | Yes | Implemented | Access provisioned on approval basis. Quarterly access reviews. Immediate revocation on role change or termination. Documented approval workflow. |
| A.5.19 | Information security in supplier relationships | Yes | Implemented | Vendor security assessment for all suppliers with access to H33 data (AWS, Stripe, Twilio, Drata). BAA agreements where applicable. Contractual security requirements. |
| A.5.20 | Addressing information security within supplier agreements | Yes | Implemented | Security requirements included in all vendor agreements. AWS shared responsibility model documented. Stripe PCI compliance verified. DPA agreements in place. |
| A.5.21 | Managing information security in the ICT supply chain | Yes | Implemented | Dependency scanning (cargo audit, npm audit). Pinned versions prevent supply chain substitution. CI pipeline validates dependency integrity. No external FHE/ZK dependencies. |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | Implemented | AWS health dashboard monitoring. Stripe and Twilio status page subscriptions. Quarterly vendor review. Service level monitoring for all critical suppliers. |
| A.5.23 | Information security for use of cloud services | Yes | Implemented | Key control. Comprehensive cloud security policy (A.5.23 doc). AWS us-east-1, VPC isolation, encryption at rest/transit, CloudTrail, Security Groups, IAM least privilege. See Cloud Security Policy. |
| A.5.24 | Information security incident management planning and preparation | Yes | Implemented | Incident response plan documented with severity levels, escalation paths, communication templates, and recovery procedures. Team trained on procedures. |
| A.5.25 | Assessment and decision on information security events | Yes | Implemented | Security event triage procedure with P1-P4 severity classification. Security Officer assesses and classifies all reported events. Documented decision criteria. |
| A.5.26 | Response to information security incidents | Yes | Implemented | Incident response procedures with defined SLAs (P1: 15min, P2: 1hr, P3: 4hr, P4: 24hr). Containment, eradication, and recovery procedures documented. |
| A.5.27 | Learning from information security incidents | Yes | Implemented | Post-incident review required for all P1/P2 incidents within 5 business days. Root cause analysis, corrective actions, and lessons learned documented and tracked. |
| A.5.28 | Collection of evidence | Yes | Implemented | Evidence preservation procedures in incident response plan. CloudTrail log integrity validation. Immutable log storage in S3 with versioning. Chain of custody documentation. |
| A.5.29 | Information security during disruption | Yes | Implemented | Business continuity plan covers security controls during disruption. Multi-AZ deployment for availability. RDS automated backups with point-in-time recovery. Failover procedures tested. |
| A.5.30 | ICT readiness for business continuity | Yes | Implemented | Multi-AZ RDS with automated failover. ElastiCache replication. S3 cross-region replication for critical backups. Recovery time objectives (RTO) and recovery point objectives (RPO) documented. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Implemented | Compliance requirements register maintained (HIPAA, state privacy laws, NIST FIPS, PCI via Stripe, GDPR for EU customers). Legal review of regulatory changes quarterly. |
| A.5.32 | Intellectual property rights | Yes | Implemented | 108 patent claims pending. IP assignment in employment agreements. Open-source license compliance tracked. Proprietary cryptographic engine fully H33-owned. |
| A.5.33 | Protection of records | Yes | Implemented | Record retention policy: 7 years for audit trails, 365 days for operational logs, 90 days online. Encrypted storage (S3 SSE, RDS encryption). Access-controlled per classification. |
| A.5.34 | Privacy and protection of PII | Yes | Implemented | Privacy policy published. DPA available. FHE processing means server never accesses plaintext PII. Data minimization principles applied. HIPAA BAA available for healthcare customers. |
| A.5.35 | Independent review of information security | Yes | Partial | SOC 2 Type II audit in progress (Drata + external auditor). ISO 27001 certification planned. Internal reviews conducted by CEO/CISO. External penetration testing planned for Q2 2026. |
| A.5.36 | Compliance with policies, rules and standards for information security | Yes | Implemented | Drata continuous monitoring validates compliance across 100+ controls. Policy acknowledgment tracked for all personnel. Non-compliance tracked as security events. |
| A.5.37 | Documented operating procedures | Yes | Implemented | Operating procedures documented for deployment, incident response, backup/restore, access provisioning, and key management. Stored in version-controlled repository. |
A.6 People Controls (8 controls)
| Control | Name | Appl. | Status | Justification / Implementation Notes |
|---|---|---|---|---|
| A.6.1 | Screening | Yes | Implemented | Background checks conducted for all employees prior to hire. References verified. Identity verification completed. Screening proportional to role sensitivity (enhanced for crypto/security roles). |
| A.6.2 | Terms and conditions of employment | Yes | Implemented | Employment agreements include NDA, IP assignment, acceptable use, and information security responsibilities. Contractor agreements include equivalent security obligations. |
| A.6.3 | Information security awareness, education and training | Yes | Implemented | Security awareness training at onboarding and annually. Role-specific training for developers (secure coding) and ops (incident response). Phishing awareness campaigns. |
| A.6.4 | Disciplinary process | Yes | Implemented | Disciplinary process for security policy violations documented in employee handbook. Progressive discipline from warning to termination. Applied consistently. |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Implemented | Confidentiality obligations survive termination (NDA). Offboarding checklist includes all access revocation. Post-employment IP restrictions per agreement. |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | Implemented | NDAs required for all employees and contractors. Mutual NDA template for vendors and partners. NDA covers proprietary crypto algorithms, customer data, and business operations. |
| A.6.7 | Remote working | Yes | Implemented | Remote work security policy covers: encrypted disk on all devices, VPN for sensitive access, screen lock policy, no public Wi-Fi for production access, secure home network requirements. |
| A.6.8 | Information security event reporting | Yes | Implemented | Key control. Comprehensive security event reporting procedure with channels (email, Slack, phone), severity levels (P1-P4), escalation paths, and non-retaliation policy. See Security Event Reporting Procedure. |
A.7 Physical Controls (14 controls)
H33 operates entirely on cloud infrastructure (AWS). Physical controls are implemented by AWS as part of the shared responsibility model. AWS data centers are SOC 2 Type II and ISO 27001 certified.
| Control | Name | Appl. | Status | Justification / Implementation Notes |
|---|---|---|---|---|
| A.7.1 | Physical security perimeters | Yes | Impl. via AWS | AWS data centers have multi-layer physical perimeters with security personnel, fencing, barriers, and surveillance. SOC 2 Type II audited annually. |
| A.7.2 | Physical entry | Yes | Impl. via AWS | AWS data center access controlled by badge, biometric, and man-trap entry systems. Access logged and monitored 24/7. H33 has no physical data center access. |
| A.7.3 | Securing offices, rooms and facilities | Yes | Impl. via AWS | AWS facilities secured per their SOC 2 / ISO 27001 certifications. H33 is remote-first; the employee device security policy covers home office requirements. |
| A.7.4 | Physical security monitoring | Yes | Impl. via AWS | AWS data centers monitored 24/7 with CCTV, intrusion detection, and security personnel. H33 monitors logical access to cloud resources. |
| A.7.5 | Protecting against physical and environmental threats | Yes | Impl. via AWS | AWS data centers designed for fire suppression, flood prevention, seismic resilience, and climate control. Multi-AZ deployment protects against single-site failure. |
| A.7.6 | Working in secure areas | Yes | Impl. via AWS | AWS restricts data center access to authorized personnel. H33 personnel do not access data centers. Remote work policy addresses secure working environment. |
| A.7.7 | Clear desk and clear screen | Yes | Implemented | Clear screen policy: auto-lock after 5 minutes of inactivity. Sensitive documents not printed. Screen privacy filters recommended for public settings. |
| A.7.8 | Equipment siting and protection | Yes | Impl. via AWS | AWS manages server equipment siting, cooling, and power. H33 employee devices: encrypted disk, anti-malware, screen lock, and physical security guidance. |
| A.7.9 | Security of assets off-premises | Yes | Implemented | Employee devices: full-disk encryption required, remote wipe capability, VPN for production access. Lost/stolen devices reported immediately per incident response procedure. |
| A.7.10 | Storage media | Yes | Implemented | AWS manages server storage media lifecycle (encryption, sanitization, destruction per NIST 800-88). H33 devices: encrypted storage, secure deletion procedures on decommission. |
| A.7.11 | Supporting utilities | Yes | Impl. via AWS | AWS data centers have redundant power (UPS, generators), cooling (N+1 HVAC), and network connectivity. SLA guarantees per AWS service agreements. |
| A.7.12 | Cabling security | Yes | Impl. via AWS | AWS manages data center cabling infrastructure. All H33 data transmission is encrypted (TLS 1.2+) regardless of physical cable security. |
| A.7.13 | Equipment maintenance | Yes | Impl. via AWS | AWS maintains server hardware. H33 employee device maintenance: OS updates enforced, scheduled security patch windows, anti-malware updates automatic. |
| A.7.14 | Secure disposal or re-use of equipment | Yes | Implemented | AWS handles server hardware disposal per NIST 800-88. H33 devices: secure wipe before disposal/reassignment, encryption key destruction, certificate of destruction for sensitive devices. |
A.8 Technological Controls (34 controls)
| Control | Name | Appl. | Status | Justification / Implementation Notes |
|---|---|---|---|---|
| A.8.1 | User endpoint devices | Yes | Implemented | Endpoint security policy: full-disk encryption, auto-lock, anti-malware, OS auto-updates, no unauthorized software. Remote wipe capability for mobile devices. |
| A.8.2 | Privileged access rights | Yes | Implemented | Privileged access (AWS admin, database admin, production deploy) restricted to minimum personnel. MFA required for all privileged access. Logged via CloudTrail. Quarterly review. |
| A.8.3 | Information access restriction | Yes | Implemented | Access restricted by IAM policies, security groups, and application-level authorization. Database access limited to application service role. S3 bucket policies restrict object access. |
| A.8.4 | Access to source code | Yes | Implemented | Source code in private GitLab repositories. Access controlled by GitLab groups and roles. Branch protection on main/master. No public read access. IP-restricted for admin operations. |
| A.8.5 | Secure authentication | Yes | Implemented | Auth1 multi-factor authentication (OTP via SMS/authenticator). Session management with secure cookies (httpOnly, Secure, SameSite). Rate limiting on auth endpoints. Account lockout after failures. |
| A.8.6 | Capacity management | Yes | Implemented | Elastic Beanstalk auto-scaling configured. CloudWatch alarms for capacity thresholds (CPU, memory, connections). RDS storage auto-scaling enabled. Load testing before major releases. |
| A.8.7 | Protection against malware | Yes | Implemented | Endpoint anti-malware on all devices. Rust memory safety prevents the buffer-overflow class of attacks. Input validation on all API endpoints. File upload scanning where applicable. |
| A.8.8 | Management of technical vulnerabilities | Yes | Implemented | Weekly cargo audit and npm audit scans. Critical CVEs patched within 48 hours. AWS Inspector for infrastructure scanning. Drata monitors for vulnerability management compliance. |
| A.8.9 | Configuration management | Yes | Implemented | Infrastructure configuration managed via Elastic Beanstalk .ebextensions. AWS Config tracks configuration changes. GitLab CI/CD ensures consistent deployments. Configuration drift detection via Drata. |
| A.8.10 | Information deletion | Yes | Implemented | Data deletion procedures per retention policy. Cryptographic key material zeroed on drop (zeroize crate). Database record deletion upon customer request. S3 lifecycle policies for automated expiration. |
| A.8.11 | Data masking | Yes | Implemented | FHE inherently masks data (server processes encrypted data, never sees plaintext). Log redaction for secrets, tokens, and PHI. API responses exclude internal identifiers. |
| A.8.12 | Data leakage prevention | Yes | Partial | FHE prevents server-side data exposure by design. No PHI in logs or error messages. Secret scanning in CI pipeline. DLP tooling for endpoint monitoring planned for Q3 2026. |
| A.8.13 | Information backup | Yes | Implemented | RDS automated backups (7-day retention, point-in-time recovery). S3 versioning and cross-region replication for critical data. Backup restore tested quarterly. |
| A.8.14 | Redundancy of information processing facilities | Yes | Implemented | Multi-AZ deployment for RDS and ElastiCache. ALB distributes across availability zones. Elastic Beanstalk auto-scaling across AZs. CloudFront global edge network. |
| A.8.15 | Logging | Yes | Implemented | Comprehensive logging: CloudTrail (all regions), CloudWatch Logs, VPC Flow Logs, ALB access logs, application logs (structured JSON). Log integrity validation enabled. |
| A.8.16 | Monitoring activities | Yes | Implemented | Key control. CloudWatch metrics/alarms, CloudTrail event monitoring, Drata continuous compliance monitoring, file integrity monitoring (SHA-256 baselines). See Monitoring Activities Policy. |
| A.8.17 | Clock synchronization | Yes | Implemented | AWS instances synchronize via Amazon Time Sync Service (NTP). All log timestamps in UTC. CloudTrail timestamps from AWS clock source. |
| A.8.18 | Use of privileged utility programs | Yes | Implemented | Privileged utilities (database tools, deployment scripts) restricted to authorized personnel. Usage logged. No root access on production instances except through approved processes. |
| A.8.19 | Installation of software on operational systems | Yes | Implemented | Software installation on production via CI/CD pipeline only. Manual installation prohibited. Base AMI hardened and versioned. Package installation requires deployment approval. |
| A.8.20 | Networks security | Yes | Implemented | VPC with public/private subnet isolation. Security groups with least-privilege rules. NACLs on all subnets. No public SSH/RDP. CloudFront WAF rules. |
| A.8.21 | Security of network services | Yes | Implemented | TLS 1.2+ on all network services. ALB with AWS-managed TLS policies. CloudFront HTTPS-only. VPC endpoints for AWS service access (avoids public internet). Service-level security monitoring. |
| A.8.22 | Segregation of networks | Yes | Implemented | Public subnet (ALB only) separated from private subnet (app, DB, cache). Security groups enforce inter-tier access rules. No direct internet access from private subnets (NAT gateway for outbound only). |
| A.8.23 | Web filtering | Yes | Partial | CloudFront WAF with managed rule sets (OWASP, IP reputation, rate limiting). Application-level rate limiting on all public endpoints. Full URL categorization filtering planned for Q3 2026. |
| A.8.24 | Use of cryptography | Yes | Implemented | Key control. Proprietary post-quantum cryptographic suite: BFV/CKKS FHE, Dilithium (ML-DSA / FIPS 204), Kyber (ML-KEM / FIPS 203), SPHINCS+ (SLH-DSA / FIPS 205), SHA3-256. AES-256 for storage encryption. TLS 1.2+ for transport. Montgomery NTT for performance. |
| A.8.25 | Secure development life cycle | Yes | Implemented | SDLC includes security requirements, threat modeling for crypto features, code review (mandatory), automated testing (unit, integration, benchmark), security scanning (cargo/npm audit), and deployment approval gates. |
| A.8.26 | Application security requirements | Yes | Implemented | Security requirements defined for each application: input validation, parameterized queries, authentication/authorization, encryption, logging. OWASP Top 10 compliance verified. |
| A.8.27 | Secure system architecture and engineering principles | Yes | Implemented | Defense in depth: FHE (data never decrypted on server), network isolation (VPC), encryption at rest/transit, IAM least privilege, monitoring. Post-quantum readiness built into architecture from inception. |
| A.8.28 | Secure coding | Yes | Implemented | Key control. Comprehensive secure coding standards for Rust (constant-time crypto, no unsafe without review, zeroize), Node.js (parameterized queries, input validation, httpOnly cookies), and JavaScript (no eval, CSP, textContent). See Secure Coding Standards. |
| A.8.29 | Security testing in development and acceptance | Yes | Implemented | Unit tests for all crypto operations. NIST KAT test vectors for PQ algorithms. Criterion benchmarks detect performance regressions. Integration tests for auth flows. Security scanning in CI pipeline. |
| A.8.30 | Outsourced development | Yes | Implemented | Contractor code subject to same review standards. NDA and IP assignment required. No outsourced access to production. Cryptographic code written in-house only (no outsourced FHE/PQC development). |
| A.8.31 | Separation of development, test and production environments | Yes | Partial | Production isolated in separate AWS environment. Staging environment mirrors production configuration. Development uses local environments. Full environment parity in progress (dedicated staging VPC planned Q2 2026). |
| A.8.32 | Change management | Yes | Implemented | All changes via pull request with mandatory review. CI pipeline validates before deploy. Production deployments require explicit approval. Rollback procedures documented. Change log maintained. |
| A.8.33 | Test information | Yes | Implemented | Production data not used in test environments. Synthetic test data generated for development. NIST test vectors used for crypto validation (public, non-sensitive). PHI never appears in test data. |
| A.8.34 | Protection of information systems during audit testing | Yes | Planned | Audit testing procedures to be formalized before first ISO 27001 audit. Drata evidence collection is non-intrusive (read-only API access). Penetration testing rules of engagement to be defined Q2 2026. |
Summary of Controls Not Fully Implemented
The following controls are not yet fully implemented. Each has a remediation plan and a target date:
| Control | Name | Status | Target Date | Remediation Plan |
|---|---|---|---|---|
| A.5.35 | Independent review | Partial | Q2 2026 | SOC 2 Type II audit in progress. External pen test scheduled for Q2 2026. ISO 27001 certification audit planned. |
| A.8.12 | Data leakage prevention | Partial | Q3 2026 | FHE provides strong DLP by design. Endpoint DLP tooling to be evaluated and deployed for employee devices. |
| A.8.23 | Web filtering | Partial | Q3 2026 | WAF rules active. Full URL categorization and content filtering to be added to CloudFront distribution. |
| A.8.31 | Environment separation | Partial | Q2 2026 | Production isolated. Dedicated staging VPC with full production parity to be provisioned. |
| A.8.34 | Audit testing protection | Planned | Q2 2026 | Formal procedures to be documented before first external ISO audit. Rules of engagement for pen testing to be defined. |
Document Control
| Version | Date | Author | Change Description |
|---|---|---|---|
| 1.0 | March 8, 2026 | Eric Beans | Initial Statement of Applicability — all 93 ISO 27001:2022 Annex A controls assessed |
Next scheduled review: March 2027
Questions about this document?
Contact our Security team at security@h33.ai